Panoptix (Pty) Ltd (henceforth referred to as Panoptix) is dedicated to protecting data through sound information security practices and secure software development techniques.
Panoptix recognises that the confidentiality, integrity and availability of information and data created through the use of our software products are of vital importance to the success of our partners and customers. Panoptix takes this responsibility seriously through adherence to sound business practices to ensure compliance with all applicable laws, regulations and obligations.
Security Engineering and Compliance
Panoptix can draw on deep information security experience through qualified personnel that hold, or have held, various security certifications and academic achievements such as the internationally recognised CISSP certification, an M.Sc. in Computer Science with a specialisation in Information Security, as well as Electrical Engineering degrees.
Over and above the team's qualifications, Panoptix uses 2-Factor Authentication for all critical services and tests its software extensively through the utilisation of cutting-edge Continuous Integration and Continuous Deployment techniques. The most critical software contained in Panoptix's Hotrod and Bbox offerings is developed in the Rust programming language, which is widely regarded as a great basis for secure software development.
At the core of the Panoptix offering is our Hotrod product. Hotrod has been designed with operational security in mind. Some of the core aspects of default security within Hotrod are:
- TLS support for all API and client software communications, with strict certificate security.
- Hotrod uses JWT (JSON Web Token) security for all authentication and authorisation purposes.
- Hotrod requires user authentication for all operations, and API-KEY authentication for all hotrod-agent authentication.
- Hotrod does not use default passwords under any circumstances, and all JWT pre-shared-keys use AES-256 encryption which are randomly generated if not overridden by the end-user.
- Hotrod is centrally managed; all configurations are visible and auditable by administrators.
Hotrod is regularly deployed on Bbox, a centrally managed appliance developed by Panoptix to ease the deployment of Hotrod software and to give customers visibility into the edge of their networks. From its inception Bbox has been designed to limit its attack surface. Some core aspects of Bbox security are:
- Bbox uses a single network-exposed port (ssh) and publishes no other software services; this limits the potential for misuse due to the exploitation of network-facing services.
- The Bbox user interface is deliberately limited and protected by a unique per-Bbox password; network-based administrators are limited to changing only a handful of safe settings on the Bbox itself.
- All Panoptix software on the Bbox is built with the Rust programming language to limit the potential for security issues such as memory corruption bugs.
- With Bbox in the Hotrod 2.x series, all communication with the Bbox Management System/BMS (sometimes erroneously referred to as Hotrod) is securely managed via Saltstack. Saltstack uses a strong cryptographic handshake between its agents and server to ensure that Man-In-The-Middle attacks are infeasible, and all communication between the salt agent and server is strongly encrypted.
- All primary operations of Bbox are managed centrally on the BMS, enabling full visibility of fleet-wide Bbox settings and limiting the need for field service.
- Bbox is based on Ubuntu LTS (Long Term Support) releases in order to provide the highest quality of curated Open Source software with stability guarantees.
Hotrod Pipes are deployed by Hotrod-Agent (deployed stand-alone or as a part of Bbox). Pipes are centrally managed and auditable via the Hotrod server; with Panoptix it is possible to securely administer all data gathering and forwarding activities centrally from within Hotrod. Some core aspects of Pipes security are:
- Developed in Rust to ensure performance, stability and memory-safety.
- Supports TLS for HTTP, AMQP and Redis inputs and outputs.
- Supports data anonymisation and encryption through Pipe DSL actions, to allow for the operation of Hotrod in environments with elevated privacy and security concerns.
- Supports the generation of metadata to allow sensitive data to be processed in a customer environment with only summarised or actionable events egressing to service providers or Hotrod operators.
Hotrod is by its nature a decentralised system, and is often deployed into highly sensitive and secure enterprise environments. Over and above the data privacy features that Hotrod supports in Hotrod Pipes, the following security features specific to large, distributed deployments are also available:
- The Hotrod Server (hotrodd) automatically generates a unique Elliptic Curve certificate and private key (ECDSA signing using the P-256 curve and SHA-256) for every Hotrod Agent.
- Each Hotrod Pipe is cryptographically signed by the server to enable it to run on its intended Hotrod Agent.
- The Hotrod Pipe executable that runs in the customer environment will only start cryptographically verified Hotrod Pipes. This means that the Hotrod Pipe executable cannot be misused within customer environments and will only run cryptographically verified Hotrod Pipes on its intended Hotrod Agents.
- Administrators can disable automatic updates on the Hotrod Agent, which enables an administrator to first verify and approve Hotrod Pipes targeted at their infrastructure. A manual action on the Hotrod Agent is then required for the update to propagate, allowing the responsible administrators to have the final say about what runs on their infrastructure.
Available with Hotrod version 2.5
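The per-agent signing and verification flow described above, as an added illustration that is not Panoptix code: the server issues a P-256 key per agent and signs a pipe over a digest that binds the pipe body to its target agent ID; the agent side refuses any pipe whose signature or target agent does not match. The `Pipe` type, the digest layout and the agent IDs are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Pipe is a hypothetical pipe definition: the agent it targets plus its DSL body.
type Pipe struct {
	AgentID string
	Body    string
}

// digest binds the pipe body to its target agent so that a pipe signed for one
// agent cannot be replayed on another. The NUL separator is an assumption here.
func digest(p Pipe) []byte {
	h := sha256.New()
	h.Write([]byte(p.AgentID))
	h.Write([]byte{0})
	h.Write([]byte(p.Body))
	return h.Sum(nil)
}

// issueAgentKey is the server-side step: a fresh P-256 key for one agent.
func issueAgentKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signPipe is the server-side step: ECDSA P-256 / SHA-256 over the bound digest.
func signPipe(key *ecdsa.PrivateKey, p Pipe) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, digest(p))
}

// verifyPipe is the agent-side gate: a pipe starts only if it names this agent
// and its signature checks out against this agent's public key.
func verifyPipe(pub *ecdsa.PublicKey, localAgentID string, p Pipe, sig []byte) bool {
	if p.AgentID != localAgentID {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(p), sig)
}

func main() {
	key, _ := issueAgentKey()
	p := Pipe{AgentID: "agent-01", Body: "input http | anonymise ip | output amqp"} // constructed sample
	sig, _ := signPipe(key, p)
	fmt.Println("genuine:", verifyPipe(&key.PublicKey, "agent-01", p, sig))
	tampered := Pipe{AgentID: p.AgentID, Body: p.Body + " | output tcp"}
	fmt.Println("tampered:", verifyPipe(&key.PublicKey, "agent-01", tampered, sig))
	fmt.Println("other agent:", verifyPipe(&key.PublicKey, "agent-02", p, sig))
}
```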
Hotrod and Bbox cater for large teams of administrators and specialists cooperating in the management of the Bbox appliances as well as the administration of Hotrod. Some capabilities include:
- The ability to associate an Administrator, Hotrod Agent and Bbox with one or more tenants.
- Super Administrators, that can view and edit all Hotrod Agents and Bboxes.
- Tenant Administrators are only able to add Hotrod Agents and Bboxes to their assigned tenant, as well as only being able to view and edit Hotrod Agents and Bboxes in their specified tenants.
Available with Hotrod version 2.5
Hotrod and Bbox software is constantly being improved by Panoptix, and bug fixes and improvements are securely distributed to partners. From time to time, as the software is altered or as new business requirements come to light, this Security Statement may be improved; for the latest version always refer to: https://panoptix.io/security/
All Panoptix software is governed by the Panoptix End User License Agreement, the latest version of which can be found here: https://panoptix.io/policies/eu-license-agreement/
This Security Statement is subject to all terms and conditions of the EULA and should be interpreted as a statement of intent, with no additional warranties or guarantees that are not explicitly stated in the Panoptix End User License Agreement.